---
title: Bulk Certificates
summary: Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.
url: https://www.fastly.com/documentation/reference/api/tls/platform
---

Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.

## Data model

| Field | Type | Description |
|-------|------|-------------|
| `allow_untrusted_root` | boolean | Allow certificates that chain to untrusted roots. |
| `cert_blob` | string | The PEM-formatted certificate blob. Required. |
| `intermediates_blob` | string | The PEM-formatted chain of intermediate blobs. Required. |
| `relationships.tls_configurations.id` | string | Alphanumeric string identifying a TLS configuration. |
| `relationships.tls_domains.id` | string | The domain name. |
| `type` | string | Resource type. |
| `created_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `deleted_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `id` | string | Alphanumeric string identifying a TLS bulk certificate. (Read-only) |
| `not_after` | string | Time-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. (Read-only) |
| `not_before` | string | Time-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. (Read-only) |
| `replace` | boolean | A recommendation from Fastly indicating the key associated with this certificate is in need of rotation. (Read-only) |
| `updated_at` | string | Date and time in ISO 8601 format. (Read-only) |

## API endpoints

### List certificates

**GET** `/tls/bulk/certificates`

List all certificates.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `filter[not_after]` | string | query | No | Filter the returned certificates by expiry date in UTC. Accepts parameters: `lt`, `lte`, `gt`, `gte` (e.g., `filter[not_after][lte]=2020-05-05`). |
| `filter[not_before]` | string | query | No | Filter the returned certificates by `not_before` date in UTC. Accepts parameters: `lt`, `lte`, `gt`, `gte` (e.g., `filter[not_before][gte]=2020-05-05`). |
| `filter[tls_domain.id]` | string | query | No | Filter certificates by their matching, fully-qualified domain name. |
| `page[number]` | integer | query | No | Current page. |
| `page[size]` | integer | query | No | Number of records per page. |
| `sort` | string | query | No | The order in which to list the results by creation date. |

### Upload a certificate

**POST** `/tls/bulk/certificates`

Upload a new certificate. TLS domains are automatically enabled upon certificate creation. If a domain is already enabled on a previously uploaded certificate, that domain will be updated to use the new certificate for all future TLS handshake requests.

### Get a certificate

**GET** `/tls/bulk/certificates/{certificate_id}`

Retrieve a single certificate.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS bulk certificate. |

### Delete a certificate

**DELETE** `/tls/bulk/certificates/{certificate_id}`

Destroy a certificate. This disables TLS for all domains listed as SAN entries.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS bulk certificate. |

### Update a certificate

**PATCH** `/tls/bulk/certificates/{certificate_id}`

Replace a certificate with a newly reissued certificate. By using this endpoint, the original certificate will cease to be used for future TLS handshakes. Thus, only SAN entries that appear in the replacement certificate will become TLS enabled. Any SAN entries that are missing in the replacement certificate will become disabled.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS bulk certificate. |
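Because a PATCH disables TLS for every SAN entry missing from the replacement certificate, a pre-flight comparison is worth running before the call. The following is an added example, not Fastly's own code: it assumes the GET response is a JSON:API document with domains under `data.relationships.tls_domains.data[].id`, that the replacement certificate's SAN list was printed with `openssl x509 -noout -ext subjectAltName`, and that its validity dates are supplied as ISO 8601 strings; `parse_san_text` and `preflight` are hypothetical helper names.

```python
from datetime import datetime, timezone

# Constructed sample: assumed shape of GET /tls/bulk/certificates/{certificate_id}.
CURRENT_CERT = {"data": {"id": "EXAMPLE_CERT_ID", "relationships": {
    "tls_domains": {"data": [{"id": "www.example.com"},
                             {"id": "api.example.com"},
                             {"id": "*.shop.example.com"}]}}}}

# Constructed sample: `openssl x509 -noout -ext subjectAltName` output
# for the reissued certificate.
NEW_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:WWW.example.com, DNS:*.shop.example.com, DNS:new.example.com
"""

def normalize(name):
    """Lower-case a DNS name and drop a trailing dot before comparing."""
    return name.strip().lower().rstrip(".")

def parse_san_text(text):
    """Return the set of DNS SAN entries from openssl's text rendering."""
    names = set()
    for line in text.splitlines():
        for item in line.split(","):
            kind, _, value = item.strip().partition(":")
            if kind == "DNS" and value:  # skips the header and non-DNS entries
                names.add(normalize(value))
    return names

def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def preflight(current, new_sans, new_not_before, new_not_after, now=None):
    """Report what replacing `current` with the new certificate would change."""
    now = now or datetime.now(timezone.utc)
    domains = current["data"]["relationships"]["tls_domains"]["data"]
    enabled = {normalize(d["id"]) for d in domains}
    report = {
        # Entries are compared literally: a wildcard SAN is not treated as
        # covering a specific host name that was enabled before.
        "would_disable": sorted(enabled - new_sans),
        "would_enable": sorted(new_sans - enabled),
        # not_before must be in the past and not_after in the future.
        "valid_now": parse_ts(new_not_before) <= now < parse_ts(new_not_after),
    }
    report["safe_to_patch"] = report["valid_now"] and not report["would_disable"]
    return report
```

A non-empty `would_disable` list means those domains stop terminating TLS once the PATCH is applied, so treat it as a blocking condition unless the removal is intended.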

